In the same week that France confirmed 11.7 million government ID records were stolen, two major American organizations confirmed their own breaches — and together they make it one of the most damaging 7-day stretches for consumer data in 2026. ADT, the home security company protecting millions of American homes, confirmed on April 27 that ShinyHunters stole data on 5.5 million customers. McGraw Hill, one of the world’s largest education publishers, confirmed that the same group exposed 13.5 million accounts. Total records exposed: over 23 million. Attack vector for ADT: a single phone call to one employee.
These are not abstract statistics. ADT’s breach involves names, phone numbers, addresses, and in some cases partial Social Security numbers and dates of birth for the people whose homes ADT monitors — people who trusted a security company with their most sensitive location and contact information. McGraw Hill’s breach involves students, educators, and educational professionals across the United States and globally.
The ADT Breach: A Masterclass in Social Engineering
The ADT breach is the more technically instructive of the two, because ShinyHunters told BleepingComputer exactly how they got in — and the answer is a reminder that the most sophisticated network defenses can be bypassed by calling the right employee and saying the right things.
Step 1: The Vishing Call
ShinyHunters initiated the attack with a voice phishing (vishing) call targeting an ADT employee. The caller impersonated a trusted party — the specific pretext has not been publicly disclosed — and manipulated the employee into providing credentials or taking an action that gave attackers a foothold.
Vishing works because phone calls carry a social obligation that emails do not. A human voice, a sense of urgency, and a plausible scenario (IT support, vendor verification, account security check) consistently defeat employees who would immediately recognize the same request in email form as a phishing attempt. The personal, real-time nature of the interaction creates psychological pressure that bypasses rational scrutiny.
Step 2: Okta SSO Compromise
The vishing call gave attackers access to the employee’s Okta single sign-on (SSO) account. Okta is a widely used identity platform that gives employees access to multiple corporate applications through a single login. For attackers, compromising an Okta account is a master key — it opens every application the targeted employee can access.
This is not the first time Okta has appeared at the center of a major breach. The same attack vector — social engineering an employee into providing Okta credentials or an authentication session — was used in the Caesars Entertainment breach in 2023 and the MGM Resorts breach the same year. ShinyHunters has demonstrated a consistent, effective methodology: call an employee, get Okta access, pivot to every connected system.
Step 3: Salesforce Data Exfiltration
Through the compromised Okta account, attackers accessed ADT’s Salesforce instance — the customer relationship management system where ADT stores customer information. The exfiltrated data included:
- Full names
- Phone numbers
- Mailing addresses
- In a subset of cases: dates of birth and the last four digits of Social Security numbers or Tax IDs
ADT has stated that alarm system information, financial account data, and payment information were not part of the breach. The company also confirmed that home security system status and monitoring data were not accessed — meaning the breach does not create a direct risk of homes being targeted based on when security systems are armed or disarmed.
But the combination of name, address, phone number, and partial SSN is sufficient for identity fraud applications, targeted phishing, and SIM-swap attacks. For 5.5 million customers, that risk is now elevated.
The McGraw Hill Breach: 13.5 Million Accounts, 100GB
McGraw Hill’s breach is larger by volume. The education publisher confirmed a data breach following an extortion attempt, initially describing it as involving “a limited set of data from a webpage hosted by Salesforce on its platform.” The understated corporate disclosure did not capture what followed.
ShinyHunters subsequently distributed more than 100 gigabytes of McGraw Hill data publicly — containing 13.5 million unique email addresses across multiple data files, with additional fields including names, physical addresses, and phone numbers appearing in some record sets.
The McGraw Hill breach affects students, educators, school administrators, and institutional buyers who have used McGraw Hill’s educational platforms, including Connect, ALEKS, and other academic tools widely used in US colleges and universities.
The breach’s educational data dimension is worth noting: student records often contain birthdates, institutional affiliations, and other details that enrich an attacker’s profile of a target for future fraud.
ShinyHunters: Who They Are
ShinyHunters is one of the most prolific and successful cybercriminal extortion groups operating today. Their track record in 2024–2026 includes:
- Ticketmaster / Live Nation: 560 million customer records, one of the largest breaches in history
- Santander Bank: 30 million customer, staff, and account records across Spain, Chile, and Uruguay
- AT&T: Call and text metadata for nearly all AT&T customers
- Snowflake customer pipeline: A series of breaches leveraging compromised credentials to access data held in Snowflake cloud storage, affecting dozens of organizations
- ADT and McGraw Hill: The current week
The group’s methodology has evolved. Earlier ShinyHunters operations focused on exploiting technical vulnerabilities in web applications. Recent operations increasingly rely on social engineering — specifically vishing and credential phishing — to compromise identity platforms like Okta and then pivot to cloud data stores like Salesforce and Snowflake.
This shift reflects a fundamental truth about modern enterprise security: technical defenses have improved substantially, but the human element remains reliably exploitable.
The Salesforce Pattern
Both the ADT breach and the earlier Ticketmaster breach (through the Snowflake pipeline) share a common destination: cloud-hosted customer data. The migration of customer relationship management and data warehousing to cloud platforms like Salesforce and Snowflake has created concentrated, high-value targets.
A single compromised Salesforce instance can contain the customer records of millions of people. A single compromised Snowflake environment, shared across dozens of enterprise clients, can yield breach data at a scale that was operationally impossible when data was siloed in on-premises systems.
The implication for organizations is not that Salesforce or Snowflake are insecure — they are not. It is that the authentication layer protecting access to these systems (typically managed through Okta or similar SSO platforms) has become the critical security perimeter. And that perimeter is defeated not by technical attack but by a convincing phone call.
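If the SSO layer is the perimeter, the useful signal is what a session does right after login. The following Python example is added here and is not from the original article, ADT, Okta or Salesforce: it flags an SSO login from a previously unseen IP that is followed by CRM reads far above that user's baseline. The event schema, field names, thresholds and sample data are constructed assumptions, not real Okta or Salesforce log formats.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events in a made-up normalized schema (not real Okta or
# Salesforce log fields): SSO logins and CRM record reads keyed by user and IP.
EVENTS = [
    {"ts": "2026-01-05T09:02:00", "src": "sso", "user": "jdoe", "ip": "198.51.100.7"},
    {"ts": "2026-01-05T09:10:00", "src": "crm", "user": "jdoe", "ip": "198.51.100.7", "records": 40},
    {"ts": "2026-01-05T14:31:00", "src": "sso", "user": "asmith", "ip": "203.0.113.50"},
    {"ts": "2026-01-05T14:36:00", "src": "crm", "user": "asmith", "ip": "203.0.113.50", "records": 90000},
    {"ts": "2026-01-05T14:52:00", "src": "crm", "user": "asmith", "ip": "203.0.113.50", "records": 120000},
]
# Constructed per-user history: IPs seen before and records read per past session.
HISTORY = {
    "jdoe": {"ips": {"198.51.100.7"}, "session_reads": [35, 50, 42]},
    "asmith": {"ips": {"192.0.2.10"}, "session_reads": [60, 80, 75]},
}

def flag_sessions(events, history, window=timedelta(hours=2), factor=10):
    """Return alerts for SSO logins from an unseen IP followed by bulk CRM reads."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    alerts = []
    for login in (e for e in parsed if e["src"] == "sso"):
        prof = history.get(login["user"], {"ips": set(), "session_reads": []})
        if login["ip"] in prof["ips"]:
            continue  # known IP: out of scope for this rule
        # Records read by the same user from the same IP inside the window.
        total = sum(
            e["records"] for e in parsed
            if e["src"] == "crm" and e["user"] == login["user"]
            and e["ip"] == login["ip"]
            and login["t"] <= e["t"] <= login["t"] + window
        )
        # No history means baseline 0, so any read from a new IP is flagged.
        baseline = median(prof["session_reads"]) if prof["session_reads"] else 0
        if total > factor * baseline:
            alerts.append({"user": login["user"], "ip": login["ip"],
                           "records": total, "baseline": baseline})
    return alerts

if __name__ == "__main__":
    for alert in flag_sessions(EVENTS, HISTORY):
        print(alert)
```

The rule deliberately ignores logins from known IPs, so it complements rather than replaces volume-only alerting on CRM exports.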
What Affected Individuals Should Do
ADT customers — If you are or have been an ADT customer, your name, address, phone number, and potentially partial SSN may have been exposed.
- Monitor your credit reports for unauthorized applications. In the US, you can request free weekly reports from all three bureaus at annualcreditreport.com.
- Place a credit freeze with Equifax, Experian, and TransUnion — the single most effective protection against new account fraud using stolen identity data.
- Be alert to targeted vishing calls that reference your ADT account or your home address — attackers with this data will craft more convincing pretexts.
- Watch for SIM-swap attempts: unexpected loss of mobile service, or texts from your carrier about account changes you didn’t make.
McGraw Hill account holders — If you have ever used McGraw Hill educational platforms (Connect, ALEKS, or others), your email address and potentially additional personal details may have been exposed.
- Change your McGraw Hill password and any accounts where you reuse the same password or email combination.
- Enable multi-factor authentication on all accounts linked to your exposed email address.
- Be alert to educational or institutional phishing emails that reference your McGraw Hill account.
For both breaches, report any suspected fraud to the FTC at reportfraud.ftc.gov and your financial institution directly.
Sources: BleepingComputer — ADT · BleepingComputer — McGraw Hill · Help Net Security · Security Boulevard · Have I Been Pwned



